Use Your Illusion: Secure Authentication Usable Anywhere

1
Use Your IllusionSecure Authentication Usable
Anywhere

• Eiji Hayashi
• Nicolas Christin
• Rachna Dhamija
• Adrian Perrig
• Carnegie Mellon CyLab Japan

2
Key Concept Distortion
You can recognize a baby now because you know the
original picture
3
Use Your Illusion
4
Graphical Authentication

• Passfaces
• Pass Points
• DAS (Draw-A-Secret)
• Déjà vu

5
Passfaces

• Faces are used as a graphical portfolio
• Preference could be a limitation

Cited from On User Choice in Graphical Password
Schemes, Darren Daivis et. al, 2004
6
Pass Points

• Use a sequence of clicks as a shared secret
• There are hot spots

Cited from Authentication Usin Graphical
Passwords Basic Results, Susan Wiednbeck et.
al, 2004
7
Most Straightforward Way

• Choose graphical portfolio from a set of pictures

8
Graphical Portfolio

• If a user can choose whatevergraphical
  portfolio
• If system assigns portfoliorandomly

9
Fundamental Tradeoff
Security
Memorability
10
Use Your Illusion

• Allow users to take/choose pictures by themselves
• Distort the pictures
• Assign the distorted pictures as graphical
  portfolio

11
Use Your Illusion

• Allow users to take/choose pictures by themselves
• Distort the pictures
• Assign the Distorted pictures as graphical token

Security
Memorability
12
Requirements for Distortion

• One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors

13
Oil Painting Filter

• Choose RGB values which appears most frequently
  in a neighborhood

14
Oil Painting Filter
15
Distortion Level

• If high, difficult to guessbut difficult to
  memorize
• If low, easy to memorizebut easy to guess

16
Distortion Level

• Two parameters affect distortion level
• If too high, not usable
• If too low, not secure

Security
Memorability
17
Low-Fidelity Test
Least distorted
Most distorted
18
Low-Fidelity Test
19
Low-Fidelity Test
20
Low-Fidelity Test
21
Low-Fidelity Test
22
Low-Fidelity Test
23
Low-Fidelity Test
Its a dog!!
24
Low-Fidelity Test
Difficult to guess w/o knowing original picture
25
Low-Fidelity Test
Cant recognize a dog
26
Low-Fidelity Test
Easy to recognize w/ knowing original picture
27
Low-Fidelity Test
Satisfies requirements
28
Prototype

• Implemented on Nokias cell-phone for usability
  test
• Also implemented on the web

29
Prototype
Demo
30
Usability Test

• 45 participants and for 1 week
• 54 participants and for 4 weeks

31
1st Usability Test

• 45 participants were divided into 3 groups
• Self-selected, Non-distorted
• Self-selected, distorted (Use Your Illusion)
• Imposed, highly-distorted

32
Self-selected, Non-distorted
33
Self-selected, Distorted
34
Imposed, Highly-distorted
35
Procedure
36
Success Rate
37
Authentication Time (Mean)
Imposed, Highly-distorted
Self-selected, Distorted
Self-selected, Non-distorted
38
Process of Memorization

• Participants assign meanings to distorted
  pictures
• Assigning meanings helps memorization

Mountain
Sea
Moai statue
39
2nd Usability Test

• 54 participants were divided into 3 groups
• Self-selected, Non-distorted
• Self-selected, Distorted
• Imposed, Distorted
• Authenticate
• On the 1st day
• 2 days after
• 1 week after
• 4 weeks after

40
Imposed, Distorted
41
Success Rate
42
Authentication Time (Mean)
Imposed, Distorted
Self-selected, Distorted
Self-selected, Non-distorted
43
Tolerance against Guessing Attack

• Original pictures are vulnerable
• Distorted pictures are more tolerant

44
Future Work

• Detailed usability test
• Long term test
• Find an optimal distortion
• Investigate a metric evaluating distortion level

45
Use Your Illusion

• Use distorted pictures as a portfolio
• As memorable as non-distorted pictures
• More memorable than imposed (highly-) distorted
  pictures
• Fits human memorization process
• More tolerant to guessing attack

46
Thank you for listening Prototype is available
on http//arima.okoze.net/illusion/ Please try it!